TPM Support in Full Disk Encryption - Questions and Answers
Solution

How is the Trusted Platform Module (TPM) used?

The Check Point Trusted Platform Module (TPM) implementation uses the TPM to measure pre-boot components. If they are not tampered with, the TPM will allow the system to boot.
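To make the measure-then-release idea concrete, here is an added, simplified model (not Check Point code) of how a measured boot works: each pre-boot component is hashed into a PCR with the TPM "extend" operation, a disk key is sealed to the expected PCR value, and the key is only released when the measurements match. The component images and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-ins for pre-boot components (name, image bytes).
GOOD_COMPONENTS = [
    ("bootmgr", b"pre-boot loader image v1"),
    ("preboot-ui", b"pre-boot authentication UI v1"),
    ("fde-driver", b"disk encryption driver v1"),
]
EXPECTED_COMPONENT_COUNT = len(GOOD_COMPONENTS)
PCR_INIT = bytes(32)  # a PCR is all zeros at power-on


def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    """TPM extend: new_pcr = SHA-256(old_pcr || SHA-256(image)).

    Because each value chains on the previous one, both the content and the
    order of the measured components determine the final PCR value."""
    digest = hashlib.sha256(image).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components) -> bytes:
    """Measure every pre-boot component in boot order and return the PCR."""
    pcr = PCR_INIT
    for _name, image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Model of sealing: record the PCR value the secret is bound to."""
    return {"expected_pcr": expected_pcr, "secret": secret}


def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the current PCR equals the sealed one."""
    if not hmac.compare_digest(blob["expected_pcr"], current_pcr):
        return None
    return blob["secret"]


def attempt_boot(blob: dict, components) -> str:
    """Simplified outcome of a boot attempt against sealed disk keys."""
    if len(components) < EXPECTED_COMPONENT_COUNT:
        return "measurements incomplete"  # not every component was measured
    key = unseal(blob, measure_boot(components))
    return "boot allowed" if key is not None else "boot blocked: measurements changed"
```

Tampering with any component (or measuring them in a different order) changes the PCR, so the sealed key stays locked; the escrowed-key recovery path the page describes is what bypasses this in a legitimate lockout.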

Which types of pre-boot authentication methods are supported with TPM?

  • Pre-Boot bypass (a.k.a. "WIL"). Note: the software hardware hash is disabled when the TPM is in effect.
  • Password authentication.
  • Dynamic Token (a.k.a. "X9.9 Tokens").

What are the minimum system requirements?

  • TPM specification 1.2 and Windows 7 or greater. See release notes for specific release version compatibility.
  • The TPM must be enabled, active, and ownership must have been taken.
  • Putting the TPM into working order is done in a way that is compatible with how Windows handles the TPM.
  • The TPM Storage Root Key must be compatible with Windows.

Supported Endpoint Security Server versions:

  • R77.20.01
  • R77.30.01
  • R77.30.02
  • R77.30.03
  • R80.20.Mx
  • R80.30
  • R80.40
  • R81
  • R81.10

Does Remote Help work?

Yes. If the user is locked out due to a TPM issue, a successful Remote Help sequence will enable the user to either reset their password or perform a one-time logon. TPM support will be re-enabled automatically if the TPM hardware is in working order.

Does recovery work?

Yes.

Are TPM-based keys necessary for recovery?

No, the recovery procedure uses the disk keys that are escrowed in the Check Point management server directly without TPM involvement.

Does the Dynamic Mount Utility and/or drive slaving work?

Yes, by mounting with a recovery file.

Can TPM support be disabled for maintenance tasks?

Yes, either by changing the policy or by executing the "fdecontrol" program. The fdecontrol program allows scripted, temporary disabling/enabling of TPM support during scheduled system maintenance.

Does the enablement of TPM support differ on different system architectures?

On UEFI systems the TPM support is enabled immediately following the policy enforcement.

On BIOS systems all disks must be fully encrypted before TPM support is enabled. This is due to how the full disk encryption software stores encryption status information in the boot records on BIOS machines.

How can TPM status be inspected?

TPM status can be inspected in the SmartEndpoint management console or in the local "tray" UI.

Does the TPM affect performance?

The TPM is only used during the boot and authentication phase where it can have a small impact on performance. During disk encryption/decryption in the OS (Windows) there is no impact on performance.

Explanation of the TPM policy status states shown in the UI:

  • "TPM Policy applied" – The TPM protection is in effect.
  • "TPM not enabled by policy" – The policy does not state use of TPM protection.
  • "Encryption State Prevents TPM" – On BIOS-based machines the TPM protection can't be enabled while the background encryption is running. When encryption has reached 100% and the machine is rebooted, TPM protection will be enabled. Note that the reboot is not forced by FDE; the protection is applied automatically at the first reboot after all pre-conditions are met.
  • "TPM Hardware not ready" – The TPM hardware is not fully enabled.
  • "TPM Measurements incomplete" – The TPM was not enabled during the boot process, so there are not enough measurements to enable TPM protection.
  • "TPM prevented on client" – The fdecontrol program was used locally to disable the TPM protection.
